#!

###########################
# VPN SSL Settings Web Portal
###########################
# Clientless (web-mode) portal: tunnel mode is off, so users of this portal
# only reach what the bookmarks below expose through the browser.
config vpn ssl web portal
edit mydomain1-web-access.local
set tunnel-mode disable 
set ipv6-tunnel-mode disable 
set web-mode enable 
# No cache cleaner and no endpoint checks (host-check none, mac-addr-check and
# os-check disabled): any browser that can authenticate gets a session.
# NOTE(review): consider enabling host-check if the user population runs FortiClient.
set cache-cleaner disable 
set host-check none 
# Each user account may hold only one concurrent login.
set limit-user-logins enable 
set mac-addr-check disable 
set os-check disable 
set virtual-desktop disable 
set auto-prompt-mobile-user-download disable 
set display-bookmark enable 
# Users may add personal bookmarks next to the administrator-defined ones.
set user-bookmark enable 
# Example bookmark groups, kept disabled. "host 0.0.0.0" is a placeholder:
# replace it with the real target before uncommenting any of these blocks.
#config bookmark-group
#edit "RDP-Kategorie"
#config bookmarks
#edit "RDP"
#set description "RDP-Connection"
#set apptype rdp
#set host 0.0.0.0
#set keyboard-layout de-ch
#set screen-height 768
#set screen-width 1024
#end
#end
#config bookmark-group
#edit "RDP-Kategorie"
#config bookmarks
#edit "RDP-Native"
#set description "RDP-Native-Connection"
#set apptype rdpnative
#set host 0.0.0.0
#set screen-height 768
#set screen-width 1024
#end
#end
#config bookmark-group
#edit "Intranet-Kategorie"
#config bookmarks
#edit "Intranet"
#set description "Intranet Site"
#set url "www.mydomain1.intra"
#end
#end
set display-connection-tools enable 
set display-forticlient-download disable 
# Keep the last 10 connections in the portal history.
set display-history enable 
set display-history-limit 10
set display-status enable 
set heading "Welcome to mydomain1.ch" 
set page-layout double-column 
# Post-login redirect is left disabled; only enable it for a URL you control.
# set redir-url www.mydomain1.ch
set theme blue 
set custom-lang en 
end
###########################
# VPN SSL Settings Tunnel Mode
###########################
# Tunnel-mode portal for FortiClient SSL-VPN users (web mode off).
config vpn ssl web portal
edit mydomain1-tunnel-access.local
set tunnel-mode  enable 
set ipv6-tunnel-mode disable 
set web-mode  disable 
set cache-cleaner disable 
# No endpoint posture checks before a tunnel is granted.
set host-check none 
set limit-user-logins enable 
set mac-addr-check disable 
set os-check disable 
set virtual-desktop disable 
set ip-mode range 
set auto-connect disable 
set keep-alive enable 
# Lets the client cache the user's password locally; weaker than prompting each time.
set save-password enable 
# Client addresses come from this pool; it must be the same object that
# "config vpn ssl settings" lists under tunnel-ip-pools.
set ip-pools net-mydomain1-ip-pool-ssl-vpn-198.18.1.0-25
# Split tunnel: only the LAN object is routed through the VPN; all other client
# traffic leaves the endpoint directly and is not inspected here.
set split-tunneling enable 
set split-tunneling-routing-address net-mydomain1-lan-198.18.0.0-24
# NOTE(review): 192.168.1.1 differs from the 198.18.0.91 resolver used by every
# other VPN profile in this file -- confirm it is intended.
# 0.0.0.0 means "not set" for the second DNS and both WINS servers.
set dns-server1 192.168.1.1
set dns-server2 0.0.0.0
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
end
###########################
# VPN SSL Settings Realm
###########################
#
# Re-check that this login-page HTML still renders correctly after every FortiOS version upgrade.
#
# Realm "mydomain1" with a custom login page.
# The login-page value is ONE multi-line quoted string that is sent to clients
# verbatim: embedded quotes are escaped as \" and no CLI comment may be placed
# inside it, so all notes live here.
#  - The inline <script> in <head> is a frame-busting guard (reloads the top
#    window if this page is framed); it is the only anti-framing measure visible
#    here. NOTE(review): confirm whether the firmware also sends X-Frame-Options.
#  - %%SSL_ACT%%, %%SSL_METHOD%%, %%SSL_LOGIN%% and %%SSL_HIDDEN%% are expanded by
#    the firmware; keep them exactly as written when editing the markup.
#  - The form uses autocomplete="off" and the bold block is the legal access
#    notice shown before authentication.
#  - The trailing <script> focuses the username field, which %%SSL_LOGIN%% is
#    expected to provide; verify this after a firmware upgrade.
config vpn ssl web realm
edit "mydomain1"
# Upper bound on simultaneous sessions in this realm.
set max-concurrent-user 100
set login-page "<html>
  <head>
    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">
    <title>
      login
    </title>
    <meta http-equiv=\"Pragma\" content=\"no-cache\">
    <meta http-equiv=\"cache-control\" content=\"no-cache\">
    <meta http-equiv=\"cache-control\" content=\"must-revalidate\">
    <link href=\"/sslvpn/css/login.css\" rel=\"stylesheet\" type=\"text/css\">
    <script type=\"text/javascript\">
      if (top && top.location != window.location) top.location = top.location;
      if (window.opener && window.opener.top) {
        window.opener.top.location = window.opener.top.location;
        self.close();
      }
    </script>
  </head>
  <body class=\"main\">
    <center>
      <table width=\"100%\" height=\"100%\" align=\"center\" class=\"container\" valign=\"middle\" cellpadding=\"0\" cellspacing=\"0\">
        <tr valign=middle>
          <td>
            <form action=\"%%SSL_ACT%%\" method=\"%%SSL_METHOD%%\" name=\"f\" autocomplete=\"off\">
              <table class=\"list\" cellpadding=10 cellspacing=0 align=center width=400 height=180>
                <tr class=\"dark\">
                  <td colspan=2>
                    <b>
                      <br>
                      WARNING:
                      <br>
                      <p style=\"text-align:justify; margin-left:0px; margin-right:0px\">
                        You must have prior authorization to login to this system. All connections are logged and monitored. By login to this system you fully consent to all monitoring. Unauthorized login or use will be prosecuted to the full extent of the law. You have been warned!
                      </p>
                      <br>
                    </b>
                  </td>
                </tr>
                %%SSL_LOGIN%%
                <tr>
                  <td>
                  </td>
                  <td id=login>
                    <input type=button name=login_button id=login_button value=\"Login\" onClick=\"try_login()\" border=0>
                  </td>
                </tr>
              </table>
              %%SSL_HIDDEN%%
            </form>
          </td>
        </tr>
      </table>
    </center>
  </body>
  <script>
    document.forms[0].username.focus();
  </script>
</html>"
end
###########################
# VPN SSL Settings
###########################
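# Global SSL-VPN listener settings.
config vpn ssl settings
# Client certificates are not required; access is user/group based only.
set reqclientcert disable 
set sslv2 disable 
# SSLv3 is disabled, as the note below already recommended: the protocol is
# obsolete and must not be re-enabled.
set sslv3 disable 
# TLS 1.0/1.1 stay enabled for the older client generation this file targets
# (FortiClient 5.0.x); disable them and raise the cipher strength once the
# client population is confirmed to negotiate TLS 1.2.
set tlsv1-0 enable 
set tlsv1-1 enable 
set tlsv1-2 enable 
#
# To increase security disable TLS 1.0
# and TLS 1.1 and set algorithm to "high".
#
#set tlsv1-0 disable
#set tlsv1-1 disable 
#set algorithm high 
#
set ssl-big-buffer disable 
set ssl-insert-empty-fragment enable 
# Client-initiated renegotiation is refused.
set ssl-client-renegotiation disable 
# Password-only logins are accepted; two-factor is not enforced.
set force-two-factor-auth disable 
# Factory self-signed certificate: browsers and FortiClient will warn on every
# connection, which trains users to click through and makes a spoofed portal
# indistinguishable from the real one.  Replace it with a certificate issued
# for the public hostname.
set servercert Fortinet_Factory 
set algorithm default 
# Inactivity limit (30 min) and hard session limit (8 h), in seconds.
set idle-timeout 1800
set auth-timeout 28800
# Set once here; the duplicate that used to follow "port-precedence" is removed.
set auto-tunnel-static-route disable
# Must match the ip-pools object of the tunnel-mode portal.
set tunnel-ip-pools "net-mydomain1-ip-pool-ssl-vpn-198.18.1.0-25"
set dns-suffix mydomain1.local
set dns-server1 198.18.0.91
#set dns-server2  198.18.0.1
#set wins-server1 0.0.0.0
#set wins-server2 0.0.0.0
set route-source-interface disable 
set url-obscuration disable 
# Compression stays off (compression of TLS payloads is a known information leak).
set http-compression disable 
# Session cookie is not readable by page scripts.
set http-only-cookie enable 
# Listener on wan1:10443, accepting any IPv4/IPv6 source.
set port 10443
set port-precedence enable 
set source-interface "wan1"
set source-address "all"
set source-address-negate disable 
set source-address6 "all"
# Users that match no authentication rule land on the web-only portal.
set default-portal "mydomain1-web-access.local"
# Group-to-portal mapping.  "cipher any" imposes no minimum cipher strength per
# rule; "client-cert disable" repeats that no client certificate is needed.
config authentication-rule
edit 1
set source-interface "wan1"
set source-address "all"
set source-address-negate disable 
unset source-address6
set source-address6-negate disable 
# set users local
# NOTE(review): the group name reads "tunne", not "tunnel" -- confirm it matches
# the user group as created on the device.
set groups "gr-ssl-fc-tunne-vpn-mydomain1.local"
set portal "mydomain1-tunnel-access.local"
unset realm
set client-cert disable 
set cipher any 
set auth local
next
edit 2
set source-interface "wan1"
set source-address "all"
set source-address-negate disable 
unset source-address6
set source-address6-negate disable 
# set users local
set groups "gr-ssl-fc-web-vpn-mydomain1.local"
set portal "mydomain1-web-access.local"
# Web users must come in through the custom-login-page realm.
set realm mydomain1
set client-cert disable 
set cipher any 
set auth local 
next
end
end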
###########################
# IPSec Phase 1 FortiClient Settings (Interface Based)
###########################
# IKEv1 dial-up (dynamic peer) gateway for FortiClient users.
config vpn ipsec phase1-interface
edit ipsec-fc
set comments "IPSec Phase1 FortiClient 5.0.x mydomain1-sg0e0"
# Dynamic peers on wan1, PSK authenticated, any peer ID accepted.
set type dynamic 
set interface  wan1 
set ip-version  4 
set local-gw 0.0.0.0
set nattraversal enable 
# DH group 5 (1536-bit MODP) is the minimum most current guidance accepts;
# group 14 or larger is preferable once the clients support it.
set dhgrp 5 
set keylife 28800
set authmethod psk 
# Aggressive mode with a PSK and "peertype any": the PSK-derived hash is sent
# unencrypted to every peer that starts a negotiation, so the secret's strength
# is the only defense against offline guessing.  Main mode or certificate
# authentication is preferable where the client allows it.
set mode aggressive 
set peertype any 
# XAuth user login on top of the PSK; the user group is authusrgrp below.
set xauthtype auto 
set mode-cfg  enable 
# 3DES is obsolete and slow; keep only the AES proposal once no client needs it.
set proposal 3des-sha1 aes128-sha1 
set localid  ipsec-fc 
set localid-type auto 
set negotiate-timeout 30
set fragmentation enable 
set dpd enable 
set forticlient-enforcement disable 
set npu-offload enable 
set xauthexpire  on-disconnect 
set authusrgrp gr-ipsec-fc-vpn-mydomain1.local 
set default-gw 0.0.0.0
set default-gw-priority 0
# Mode-config: clients get an address from 198.18.1.129-254 (/25).  This is the
# upper half of 198.18.1.0/24; it does not overlap the SSL-VPN pool provided that
# object really is 198.18.1.0/25 as its name suggests.
set assign-ip enable 
set mode-cfg-ip-version 4 
set assign-ip-from range 
set add-route enable 
set ipv4-start-ip 198.18.1.129
set ipv4-end-ip 198.18.1.254
set ipv4-netmask  255.255.255.128
set dns-mode manual 
set ipv4-dns-server1 198.18.0.91
# 0.0.0.0 = not set.
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
#set ipv4-exclude-range 0.0.0.0
# Split tunnel: only the LAN object is pushed as a route to the client.
set ipv4-split-include net-mydomain1-lan-198.18.0.0-24 
#set split-include-service  
set unity-support enable 
#set domain   
#set banner  
set include-local-lan disable 
set save-password disable 
set client-auto-negotiate disable 
set client-keep-alive enable 
# Pre-shared key in clear text.  The same value is used by ipsec-ios,
# ipsec-cisco and ipsec-l2tp, so one leak exposes all four profiles: treat this
# file as a secret and rotate the key if it has been shared or committed anywhere.
set psksecret  "only4mydomain1!"
set keepalive 10
set distance 1
set priority 0
# Dead-peer detection: 3 retries, 5 s apart.
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
###########################
# IPSec Phase 2 FortiClient Settings (Interface Based)
###########################
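# Phase 2 for the FortiClient dial-up gateway: any-to-any selectors (the
# mode-config address and split-include above narrow what is actually routed).
config vpn ipsec phase2-interface
edit ipsec-fc
set comments "IPSec Phase2 FortiClient 5.0.x mydomain1-sg0e0"
set dst-addr-type subnet 
set dst-port 0
set encapsulation tunnel-mode 
set keepalive enable 
set keylife-type seconds 
# PFS on: phase-2 keys are not derivable from a captured phase-1 key.
set pfs enable 
set phase1name ipsec-fc 
# Same obsolete 3DES caveat as in phase 1.
set proposal 3des-sha1 aes128-sha1 
set protocol 0
# Anti-replay window enabled.
set replay enable 
set route-overlap use-new 
set single-source disable 
# "set" rather than "unset": unset takes no value, and subnet mirrors
# dst-addr-type above.
set src-addr-type subnet 
set src-port 0
set dhgrp 5 
set dst-subnet 0.0.0.0 0.0.0.0
# 30-minute phase-2 lifetime.
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
next
end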
###########################
# IPSec Phase 1 IOS Settings (Interface Based)
###########################
# IKEv1 dial-up gateway for the built-in iOS IPsec client.
config vpn ipsec phase1-interface
edit ipsec-ios
set comments "IPSec Phase1 IOS mydomain1-sg0e0"
set type dynamic 
set interface wan1 
set ip-version 4 
set local-gw 0.0.0.0
set nattraversal enable 
# DH group 2 is 1024-bit MODP, below current minimum recommendations; it is
# presumably kept for client compatibility -- confirm, and prefer group 14+ where
# the clients support it.
set dhgrp 2 
set keylife 28800
set authmethod psk 
# Aggressive mode + PSK + "peertype any": see the ipsec-fc notes -- the PSK's
# strength is the only defense against offline guessing of the exposed hash.
set mode aggressive 
set peertype any 
set xauthtype auto 
set mode-cfg enable 
# MD5 is offered first; prefer the SHA-1 (or stronger) proposal only, if the
# clients allow it.
set proposal aes256-md5 aes256-sha1 
set localid ipsec-ios 
set localid-type auto 
set negotiate-timeout 30
set fragmentation enable 
set dpd enable 
set forticlient-enforcement disable 
set npu-offload enable 
set xauthexpire on-disconnect 
set authusrgrp gr-ipsec-ios-vpn-mydomain1.local 
set default-gw 0.0.0.0
set default-gw-priority 0
# Mode-config pool 198.18.4.1-126 (/25); the L2TP pool uses .129-.254 of the
# same /24, so the two do not overlap.
set assign-ip enable 
set mode-cfg-ip-version 4 
set assign-ip-from range 
set add-route enable 
set ipv4-start-ip 198.18.4.1
set ipv4-end-ip 198.18.4.126
set ipv4-netmask 255.255.255.128
set dns-mode manual 
set ipv4-dns-server1 198.18.0.91
# 0.0.0.0 = not set.
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
#set ipv4-exclude-range
# Split tunnel: only the LAN object is pushed as a route.
set ipv4-split-include net-mydomain1-lan-198.18.0.0-24 
#set split-include-service 
set unity-support enable 
#set domain
#set banner 
set include-local-lan disable 
set save-password disable 
set client-auto-negotiate disable 
set client-keep-alive disable 
# Clear-text PSK, shared with ipsec-fc, ipsec-cisco and ipsec-l2tp: handle this
# file as a secret and rotate the key if it has been exposed.
set psksecret "only4mydomain1!"
set keepalive  10
set distance 1
set priority 0
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
###########################
# IPSec Phase 2 IOS Settings (Interface Based)
###########################
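# Phase 2 for the iOS dial-up gateway: any-to-any selectors.
config vpn ipsec phase2-interface
edit ipsec-ios
set comments "IPSec Phase2 IOS mydomain1-sg0e0"
set dst-addr-type subnet 
set dst-port 0
set encapsulation tunnel-mode 
set keepalive enable 
set keylife-type seconds 
# PFS off: phase-2 keys are derived from the phase-1 key, so a compromise of
# that key exposes every child SA.  NOTE(review): presumably required by the
# client -- confirm, and enable PFS if it is not.
set pfs disable 
set phase1name ipsec-ios 
# MD5 offered first; same caveat as phase 1.
set proposal aes256-md5 aes256-sha1 
set protocol  0
set replay enable 
set route-overlap use-new 
set single-source disable 
# "set" rather than "unset": unset takes no value, and subnet mirrors
# dst-addr-type above.
set src-addr-type subnet 
set src-port 0
set dst-subnet 0.0.0.0 0.0.0.0
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
next
end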
###########################
# IPSec Phase 1 Cisco Native Settings (Interface Based)
###########################
# IKEv1 dial-up gateway for Cisco-compatible native clients.
config vpn ipsec phase1-interface
edit ipsec-cisco
set comments "IPSec Phase1 Cisco Native mydomain1-sg0e0"
set type dynamic 
set interface wan1 
set ip-version  4 
set local-gw 0.0.0.0
set nattraversal enable 
# DH group 2 (1024-bit MODP) is below current minimum recommendations; prefer
# group 14+ once the clients support it.
set dhgrp 2 
set keylife  28800
set authmethod psk 
# Main mode here (unlike ipsec-fc / ipsec-ios), which keeps the PSK hash out of
# the clear; with dynamic peers and "peertype any" every client must still share
# the single PSK below.
set mode main 
set peertype any 
set xauthtype auto 
set mode-cfg enable 
set proposal aes256-sha1 aes256-md5 
set localid ipsec-cisco 
set localid-type auto 
set negotiate-timeout 30
set fragmentation enable 
set dpd enable 
set forticlient-enforcement disable 
set npu-offload enable 
set xauthexpire on-disconnect 
set authusrgrp gr-ipsec-cisco-vpn-mydomain1.local 
set default-gw 0.0.0.0
set default-gw-priority 0
# Mode-config pool 198.18.5.1-126 (/25).
set assign-ip enable 
set mode-cfg-ip-version 4 
set assign-ip-from range 
set add-route enable 
set ipv4-start-ip 198.18.5.1
set ipv4-end-ip 198.18.5.126
set ipv4-netmask 255.255.255.128
set dns-mode manual 
set ipv4-dns-server1 198.18.0.91
# 0.0.0.0 = not set.
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
#set ipv4-exclude-range
# No split-include here, unlike the other profiles: these clients get no
# split-tunnel route list.  NOTE(review): confirm this is intended (all client
# traffic through the tunnel) rather than an omission.
#set ipv4-split-include
#set split-include-service 
set unity-support enable 
#set domain
#set banner 
set include-local-lan  disable 
set save-password disable 
set client-auto-negotiate disable 
set client-keep-alive  disable 
# Clear-text PSK, shared with ipsec-fc, ipsec-ios and ipsec-l2tp: handle this
# file as a secret and rotate the key if it has been exposed.
set psksecret "only4mydomain1!"
set keepalive 10
set distance 1
set priority 0
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
###########################
# IPSec Phase 2 Cisco Native Settings (Interface Based)
###########################
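# Phase 2 for the Cisco-native dial-up gateway: any-to-any selectors.
config vpn ipsec phase2-interface
edit ipsec-cisco
set comments "IPSec Phase2 Cisco Native mydomain1-sg0e0"
set dst-addr-type subnet 
set dst-port 0
set encapsulation tunnel-mode 
set keepalive enable 
set keylife-type seconds 
# PFS off: a compromised phase-1 key exposes every child SA.  NOTE(review):
# presumably a client requirement -- confirm, and enable PFS if it is not.
set pfs disable 
set phase1name ipsec-cisco 
set proposal aes256-sha1 aes256-md5 
set protocol 0
set replay  enable 
set route-overlap use-new 
set single-source disable 
# "set" rather than "unset": unset takes no value, and subnet mirrors
# dst-addr-type above.
set src-addr-type subnet 
set src-port 0
set dst-subnet 0.0.0.0 0.0.0.0
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
next
end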
###########################
# IPSec L2TP Settings (Policy Based)
###########################
# L2TP server: address pool 198.18.4.129-254 (upper half of the /24 whose lower
# half the ipsec-ios profile hands out) and the user group allowed to log in.
# User authentication happens at the L2TP/PPP layer; the IPsec profile
# "ipsec-l2tp" below has XAuth disabled for that reason.
config vpn l2tp
set sip 198.18.4.129
set eip 198.18.4.254
set status enable
set usrgrp "gr-ipsec-l2tp-vpn-mydomain1.local"
end
###########################
# IPSec Phase 1 L2TP Settings (Policy Based)
###########################
# Policy-based IKEv1 phase 1 carrying L2TP (Windows/macOS built-in clients).
config vpn ipsec phase1
edit ipsec-l2tp 
set comments "IPSec Phase1 L2TP mydomain1-sg0e0"
set type dynamic 
set interface wan1 
set ike-version  1 
set local-gw 0.0.0.0
set nattraversal enable 
# DH groups 1 and 2 (768- and 1024-bit MODP) are weak; offering group 1 at all
# lets a client negotiate it.  Keep only group 5 (or larger) unless a specific
# client is known to need the others.
set dhgrp 1 2 5 
set keylife 28800
set authmethod psk 
# Main mode with a PSK shared by every peer ("peertype any").
set mode main 
set peertype  any 
# No XAuth: the user is authenticated by L2TP/PPP against the group in
# "config vpn l2tp".
set xauthtype disable 
set autoconfig disable 
# 3DES is obsolete; keep only the AES proposal once no client needs it.
set proposal  3des-sha1 aes128-sha1 
set localid  ipsec-l2tp 
set localid-type auto 
set negotiate-timeout 30
set fragmentation enable 
set dpd enable 
set forticlient-enforcement disable 
set npu-offload enable 
# Clear-text PSK, shared with ipsec-fc, ipsec-ios and ipsec-cisco: handle this
# file as a secret and rotate the key if it has been exposed.
set psksecret "only4mydomain1!"
set keepalive 10
set distance 1
set priority 0 
set dpd-retrycount 3
set dpd-retryinterval 5
next
end
###########################
# IPSec Phase 2 L2TP Settings (Policy Based)
###########################
# Policy-based phase 2 for L2TP: transport mode, since L2TP provides the tunnel.
config vpn ipsec phase2
edit ipsec-l2tp
set comments "IPSec Phase2 L2TP mydomain1-sg0e0"
set phase1name ipsec-l2tp 
set use-natip enable 
set add-route disable 
# Same obsolete 3DES caveat as in phase 1.
set proposal 3des-sha1 aes128-sha1 
# PFS off: a compromised phase-1 key exposes the child SAs.  NOTE(review):
# presumably kept for built-in client compatibility -- confirm.
set pfs disable 
set replay enable 
set keepalive enable 
# Rekey on whichever comes first: 3600 s or 250000 kB.
set keylife-type both 
set encapsulation transport-mode 
set l2tp enable 
set protocol 0
set src-port 0
set dst-port 0
set dhcp-ipsec disable 
set keylifeseconds 3600
set keylifekbs 250000
next
end

